aspose file tools*
The moose likes Servlets and the fly likes handling session time out Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "handling session time out" Watch "handling session time out" New topic
Author

handling session time out

Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
how can we determine whether a session has been timed out. (to redirect to a custom page if session has been timed out.)
using session.isnew() and isRequestedSessionIdValid() methods from HttpServletRequest returns true even before the login.
what is the way to differentiate the two events 1) before login 2) login and session time out.

please suggest appropriate way to do this.
Phani Burra
Ranch Hand

Joined: Dec 13, 2007
Posts: 52
I would say it would basically depend on where you want to check for the session invalidated condition.

For ex-suppose you have the bank account application,wherein a person logs in the does some transactions in his account. I this case after the login servlet assume that you specified a inactive interval for the session in the login page. Now you are in some other servlet2 which uses the help of servlet3. Now in servlet3 assume that it checks if the inactive interval is crossed and this servlet explicitly invalidates the session using session.invalidate(). Now when you return to the servlet2 when you create the session object using HttpSession.getSession(false) which would return an object only if it is already present, which in this case returns null since the session has been invalidated in servlet3 and so you would now redirect the req to a custom page.

The above example is just one of the cases how you would check for invalidation. So your assumption while you create the session is that it is still valid and not been invalidated explicitly by any other servlet or jsp or timed out by the container. So you would check for invalidation only after the login page. I hope this info helps
Wayan Saryada
Ranch Hand

Joined: Feb 05, 2004
Posts: 105

Hello,

You can check whether a session has been timed out by checking if an attribute is exists in the session object. This attribute was placed there upon a successful login attempt. When you found no attribute in the session you can redirect the user to a login page.

If you want to listen to session creation or destroy event you could implement an HttpSessionListener.


Website: Learn Java by Examples
Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
by setting an attribute in the session, we can determine whether login has occured or not by i wanted to trigger some action when the user logs in and then click on a link in application after exceeding the session time out idle time.
still i am confused about to know exactly the session timeout has occurred ie a request comes in with a session id of that of expired session
Remko Strating
Ranch Hand

Joined: Dec 28, 2006
Posts: 893
You could use the function request.isRequestedSessionIdValid() from the HttpServletRequest


Request.isRequestedSessionIdValid


Remko (My website)
SCJP 1.5, SCWCD 1.4, SCDJWS 1.4, SCBCD 1.5, ITIL(Manager), Prince2(Practitioner), Reading/ gaining experience for SCEA,
Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
i could use HttpServletRequest's isRequestedSessionIdValid() method but it would return false for the first time user request a login page. when user reequests login page for the first time, the method returns false and user will be shown the session expiry page instead of a login page.

i want the user to be shown a login page before logging in (even if the user bookmarks the page after login and opens it in a new browser), he should be shown login page, and if clicks on a link on a session expired page, he should be displayed with session expiry message.

i am wondered about doing at the same time as by using isRequestedSessionIdValid() method, it displays a session expiry page even for the first time.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by I Wayan Saryada:
Hello,

You can check whether a session has been timed out by checking if an attribute is exists in the session object. This attribute was placed there upon a successful login attempt. When you found no attribute in the session you can redirect the user to a login page.




This, in my opinion, is, by far, the easiest, and more reliable way to do this.
[ January 02, 2008: Message edited by: Ben Souther ]

Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Radhakrishna Bhat
Greenhorn

Joined: Dec 26, 2007
Posts: 10
isnt httpsessionlistener best way?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61413
    
  67

Originally posted by Radhakrishna Bhat:
isnt httpsessionlistener best way?


No. A listener is great for performing out-of-band activities upon session timeout, but is rather useless for determining whether the session had timed out during a request. How, for example, would a servlet, or even a filter, use a listener to determine if the session had timed out or not?


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
Originally posted by Ben Souther:




This, in my opinion, is, by far, the easiest, and more reliable way to do this.

[ January 02, 2008: Message edited by: Ben Souther ]


Hi Ben,
this is how i am doing to redirect to login page when user's session has timed out or if the user enter a page (which should accesible after login) url without logging in.
but now how will i redirect to a custom page showing a session expiry message and at the same time redirecting to a login page if accessing a page(which should accesible after login) without logging in.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61413
    
  67

Originally posted by Satish Kumar:
but now how will i redirect to a custom page showing a session expiry message and at the same time redirecting to a login page if accessing a page(which should accesible after login) without logging in.

Why would you want to show the user a session expiry message page? Most apps will simply forward to the login page so that the user can login. If need be, a message can be placed on the login page telling the user that his or her session has expired, but why make them go through an entire page just for a message?
Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
Originally posted by Bear Bibeault:

Why would you want to show the user a session expiry message page? Most apps will simply forward to the login page so that the user can login. If need be, a message can be placed on the login page telling the user that his or her session has expired, but why make them go through an entire page just for a message?


it's true that most application forward to login page. i had a requirement of showing a custom session expiry page from customer. As you said it is good to have a message placed on the login page, but in this way it will be displayed even for the first request.
Now i realize at the server side, there is no option of differentiating whether the request has come for first time or whether the request comes out with timed out session. correct me if this is false (another interesting thing is that even request.getSession(false) returns true in struts framework)
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Satish Kumar:

(another interesting thing is that even request.getSession(false) returns true in struts framework)


In most settings, getSession(false), session.isNew() and session.isSessionValid() are not very useful anymore.
Since JSPs, and many frameworks create sessions by default, you never really know if you've just created the session or if it was created by another part of the app, container, or framework.

Checking for a particular object in session, is very simple and very reliable.
Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
Originally posted by Ben Souther:

Checking for a particular object in session, is very simple and very reliable.


i have been doing it by checking for an attribute in session. but i cannot trigger two set of action just by checking an attribute in session.
by checking an attribute in a session, there is now way to know whether to differentiate whether the request has come for first time or whether the request has an session id of a timed out session
Remko Strating
Ranch Hand

Joined: Dec 28, 2006
Posts: 893
Ben Souther,

Thanks for your explanation why you wouldn't use a method from the api for checking if a session is not valid. For me it worked fine, but I'm not using a complicated framework.
Satish Kumar
Ranch Hand

Joined: Oct 16, 2006
Posts: 85
Originally posted by Satish Kumar:


there is now way to know whether to differentiate whether the request has come for first time or whether the request has an session id of a timed out session


Sorry i have mispelt as there is a now way to differentiate. it should be read as no way instead of now way.
infact by using an attribute in session there is no way to differentiate whether the request has come for the first time or with a session id of expired session. in simple words just by setting an attribute in session you cannot trigger two sets of actions.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Satish Kumar:

...
In simple words just by setting an attribute in session you cannot trigger two sets of actions.


Not true, if your object implements SessionAttributeListener, you can trigger as many actions as you like by setting an attribute.

I don't think this will help you though.
Can you tell us why you care whether the user has just entered the site or has hit the site after the session has expired? Maybe with a little more information about what you're trying to do, someone will be able to suggest a solution.
devi sam
Greenhorn

Joined: Nov 25, 2010
Posts: 9
Satish Kumar wrote:how can we determine whether a session has been timed out. (to redirect to a custom page if session has been timed out.)
using session.isnew() and isRequestedSessionIdValid() methods from HttpServletRequest returns true even before the login.
what is the way to differentiate the two events 1) before login 2) login and session time out.

please suggest appropriate way to do this.


Did you get the solution for this problem? now i am having the same doubt ... if you have any solution means please suggest me..

Thanks in advance
d edgar
Greenhorn

Joined: Apr 09, 2010
Posts: 4
I haven't specifically solved this problem, but I always thought that because the session is going to disappear on you, voided by the container, you would need a placemarker to remind you that the incoming request had been there before.

Therefore, set a Cookie manually, with a bigger maxAge than you know your session will use.

Good luck Devi, and let us know what you find.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: handling session time out